diff --git a/lib/otw_sanitize/embed_sanitizer.rb b/lib/otw_sanitize/embed_sanitizer.rb
index a9ffaf55431..ffe47feeff5 100644
--- a/lib/otw_sanitize/embed_sanitizer.rb
+++ b/lib/otw_sanitize/embed_sanitizer.rb
@@ -161,7 +161,7 @@ def sanitize_embed
allowfullscreen height src type width
] + optional_embed_attributes,
"iframe" => %w[
- allowfullscreen frameborder height src title
+ allow allowfullscreen frameborder height src title
class type width
]
}
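Review bot: Adding `allow` to the iframe entry lets any value of that attribute through the attribute filter; the only thing that narrows it afterwards is the `restrict_iframe_allow_attribute` call made later in `sanitize_embed`, so the allowlist entry and that call have to stay in step. A comment on the new line would make the dependency visible to the next person editing this hash: `# "allow" is reduced to "fullscreen" by restrict_iframe_allow_attribute below`. The attribute hash and `sanitize_embed` start before this hunk.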
@@ -171,6 +171,7 @@ class type width
disable_scripts(node)
node["flashvars"] = "" unless allows_flashvars?
end
+ restrict_iframe_allow_attribute if node_name == "iframe"
{ node_allowlist: [node] }
end
@@ -185,6 +186,18 @@ def disable_scripts(embed_node)
end
end
+ # Restrict the iframe "allow" attribute to only the "fullscreen" directive.
+ # Removes the attribute entirely if "fullscreen" is not present.
+ def restrict_iframe_allow_attribute
+ return if node["allow"].blank?
+
+ if node["allow"].split(/[\s;,]+/).include?("fullscreen")
+ node["allow"] = "fullscreen"
+ else
+ node.remove_attribute("allow")
+ end
+ end
+
def optional_embed_attributes
if allows_flashvars?
%w[wmode flashvars]
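Review bot: The `include?("fullscreen")` check keys on the bare token, so any allowlist the author attached to the directive is discarded and `allow="fullscreen 'none'"` is rewritten to `allow="fullscreen"`, which grants exactly what the author disabled; if that matters, drop the attribute in that case, e.g. `return node.remove_attribute("allow") if node["allow"].match?(/fullscreen[^;]*'none'/)` before the rewrite. The header comment should also state why only `fullscreen` survives, since that is the security reason for the method: `# "allow" delegates permissions (camera, microphone, autoplay, payment, ...) to the embedded origin, so every directive except fullscreen is dropped; fullscreen with no allowlist applies only to the frame's own (src) origin.` Reading `node["allow"]` once into a local would avoid the three separate lookups. `blank?` presumably comes from ActiveSupport, which this file seems to rely on elsewhere; worth confirming it is loaded wherever this sanitizer is used outside the app.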
diff --git a/spec/lib/html_cleaner_spec.rb b/spec/lib/html_cleaner_spec.rb
index 457e7703a05..f2efbc26bac 100644
--- a/spec/lib/html_cleaner_spec.rb
+++ b/spec/lib/html_cleaner_spec.rb
@@ -63,6 +63,31 @@ def one_cell_table(content)
expect(result).to be_empty
end
+ it "keeps allow=\"fullscreen\" on iframes from allowed sources" do
+ html = ''
+ result = sanitize_value(field, html)
+ expect(result).to include('allow="fullscreen"')
+ end
+
+ it "restricts allow attribute to just fullscreen" do
+ html = ''
+ result = sanitize_value(field, html)
+ expect(result).to include('allow="fullscreen"')
+ expect(result).not_to include("autoplay")
+ end
+
+ it "strips allow attribute if it does not include fullscreen" do
+ html = ''
+ result = sanitize_value(field, html)
+ expect(result).not_to include("allow=")
+ end
+
+ it "keeps legacy allowfullscreen on iframes" do
+ html = ''
+ result = sanitize_value(field, html)
+ expect(result).to include("allowfullscreen")
+ end
+
%w[criticalcommons.org].each do |source|
it "doesn't convert src to https for #{source}" do
html = ''